The back door
The back door

Security researchers have discovered a number of bugs in EMC products that could enable hackers to gain control of target systems.

According to an advisory published on Full Disclosure, versions prior to 6.8 of the EMC Secure Remote Support (ESRS) Policy Manager are affected by a high severity vulnerability. It was found by Travis Emmert from Salesforce.

One bug, tracked as CVE-2017-4976, was due to an undocumented account that could potentially be leveraged by malicious users to compromise the affected system.

“EMC ESRS Policy Manager contains an undocumented account (OpenDS admin) with a default password. A remote attacker with the knowledge of the default password may login to the system and gain administrator privileges to the local LDAP directory server,” the company said.

EMC said that customers should change the default password at the earliest opportunity.

Another advisory detailed a few flaws in EMC's Data Protection Advisor data protection management software. This has been hit by a number of blind SQL injection flaws (CVE-2017-8002) that can be exploited by a remote, authenticated attacker to gain access to data by executing arbitrary SQL commands.

There is also a path traversal weakness (CVE-2017-8003) that can be exploited by a high privileged user to access information from the underlying OS server by supplying specially crafted strings in input parameters of the application.

Customers of EMC have been advised to update EMC Data Protection Advisor to version 6.4 as soon as possible.

A third advisory, noted by Securiteam, and discovered by independent security researcher Nahuel D. Sánchez from vvvSecurity, found a remote command injection vulnerability in EMC IsilonSD Edge Management Server.

A remote authenticated attacker can misuse IsilonSD management tools (located at https://:5480) to execute arbitrary OS commands. The vulnerability relies on the lack of backend validation when the network configuration is performed. The researchers said there is some kind of front end validation which can be bypassed.

“If an attacker accesses the application and changes the hostname to something like ‘localhost; uname -a' the ‘uname -a' command will be executed with root privileges,” said Securiteam in a blog post.

The firm also released a proof of concept for the bug.

Paul Farrington, manager of EMEA Solution Architects at Veracode, told SC Media UK that although SQL vulnerabilities have been around for more than a decade and regularly featured in the OWASP Top 10 list (the widely accepted standard for application security), they continue to expose enterprises to large-scale breaches and brand damage. 

“Despite the notoriety of this class of vulnerability, its prevalence is disturbingly high. Veracode analysed data from its cloud-based application security platform and found that approximately a third of applications contained at least one SQLi vulnerability,” he said.

“The prevalence of these vulnerabilities creates an easy entry path for cyber-criminals as in addition to being easy to find and fix using automated static analysis tools, they are exceedingly simple to find and exploit. The goal for all companies should be to remove all critical SQLi vulnerabilities from their applications by integrating application security procedures and tools into their development processes.”

Andrew Clarke, EMEA director at One Identity, told SC that this is an example of insufficient administrative controls. “A privileged access management solution that has the capability to establish restricted command profiles and restrict the commands that can be executed during a session, and/or put notifications in place when specific commands are executed, is a valuable tool to mitigate such a vulnerability,” he said.

Update: Dell EMC said in a statement to SC Media UK: “Vulnerabilities were reported to Dell EMC privately by ZDI, a third party, as part of coordinated disclosure industry practice. After Dell EMC validated the reports, the fixes were released as part of the Data Protection Advisor 6.4 release. We issued a security advisory to our customers via support.emc.com on July 5, and made an additional disclosure posting  July 6 as part of our standard process as a  CVE Numbering Authority. As a result, these vulnerabilities are no longer an issue for customers who follow our recommended fixes or are using the latest version of the software. Regarding the IsilonSD Edge claims, we have seen the reported vulnerability and are working to validate its accuracy.”

Update 2: Dell EMC has issued another statement: “A potential vulnerability was recently disclosed to Dell EMC by third-party researchers regarding EMC IsilonSD Management Server. Based on the current product design and our investigation, we believe the reported issue adds no additional security risk to the customer environment. The only way to exploit the vulnerability is with admin privileges, which the vulnerability does not provide and which should be highly protected in any Isilon deployment.”